The University of Washington notified this week 6,000 employees that their names and social security numbers were on a computer system that was hacked. According to The Seattle Times, two parking management computer servers were hacked into starting around December 6th of last year. An initial on-site review showed obvious signs of a network intrusion prompting the University to take the servers off-line. The newspaper asked the question of why it took UW officials such a long time to notify the affected employees. Kirk Bailey, UW Chief Information Security Officer, stated that the computer forensic analysis was time-consuming, but necessary, in order to be as thorough as possible. What was not said is that by statute, businesses may delay notification of a breach in order to provide law enforcement officials time to investigate further. The facts from the article do not suggest that there was any sort of permission given to UW officials, so therefore a followup inquiry should be asked whether law enforcement permitted the delay in disclosing the data breach.

This breach highlights the reality that data governance needs to be on the top list of every organization. UW has the personnel and technical controls in place, and yet their system was allowed to be hacked into. One may want to inquire as to whether state budget cuts are affecting security controls for state-run agencies.